From b7acc910228bb6eb28ff5da529ecc018e5bd1be5 Mon Sep 17 00:00:00 2001
From: Derek Marcotte <554b8425@razorfever.net>
Date: Thu, 19 Oct 2017 06:27:25 -0400
Subject: [PATCH 1/2] Added OpensslRandPseudo random source.
This uses openssl_random_pseudo_bytes. This is suggested for use only with with php5-openssl compiled against LibreSSL: OpenSSL copying RNG state on fork: https://github.com/ramsey/uuid/issues/80#issuecomment-188286637 Fixed in LibreSSL: http://opensslrampage.org/post/91910269738/fix-for-the-libressl-prng-issue-under-linux Additionally, CVE-2015-8867 was fixed only in versions 5.6.12, 5.5.28, 5.4.44 and above: https://bugs.php.net/bug.php?id=70014 http://www.php.net/ChangeLog-5.php CVE-2015-8867 does not affect versions compiled against LibreSSL. For these reasons, it only is considered a LOW source of randomness, unless it is compiled against LibreSSL. The reason for this to exist at all is because of problems with the nature of /dev/urandom. For example, if we cannot open or read the file. openssl_random_pseudo_bytes should never fail.
---
 .../Random/Source/OpensslRandPseudo.php | 87 +++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 lib/PasswordLib/Random/Source/OpensslRandPseudo.php
diff --git a/lib/PasswordLib/Random/Source/OpensslRandPseudo.php b/lib/PasswordLib/Random/Source/OpensslRandPseudo.php
new file mode 100644
index 0000000..e92bdf1
--- /dev/null
+++ b/lib/PasswordLib/Random/Source/OpensslRandPseudo.php
@@ -0,0 +1,87 @@
+
+ * @copyright 2011 The Authors
+ * @license http://www.opensource.org/licenses/mit-license.html MIT License
+ * @version Build @@version@@
+ */
+
+namespace PasswordLib\Random\Source;
+
+use PasswordLib\Core\Strength;
+
+/**
+ * The OpensslRandomPseudo Random Number Source
+ *
+ * This uses openssl_random_pseudo_bytes. This is suggested for use only with
+ with php5-openssl compiled against LibreSSL:
+ *
+ * OpenSSL copying RNG state on fork:
+ * https://github.com/ramsey/uuid/issues/80#issuecomment-188286637
+ * Fixed in LibreSSL:
+ * http://opensslrampage.org/post/91910269738/fix-for-the-libressl-prng-issue-under-linux
+ *
+ * Additionally, CVE-2015-8867 was fixed only in versions 5.6.12, 5.5.28,
+ * 5.4.44 and above:
+ *
+ * https://bugs.php.net/bug.php?id=70014
+ * http://www.php.net/ChangeLog-5.php
+ *
+ * CVE-2015-8867 does not affect versions compiled against LibreSSL.
+ *
+ * @category PHPPasswordLib
+ * @package Random
+ * @subpackage Source
+ * @author Derek Marcotte <554b8425@razorfever.net>
+ * @codeCoverageIgnore
+ */
+class OpensslRandomPseudo implements \PasswordLib\Random\Source {
+
+ /**
+ * Return an instance of Strength indicating the strength of the source
+ *
+ * @return Strength An instance of one of the strength classes
+ */
+ public static function getStrength() {
+ if ( preg_match('/^LibreSSL/i', OPENSSL_VERSION_TEXT) !== 1 ) {
+ return new Strength(Strength::LOW);
+ }
+
+ return new Strength(Strength::MEDIUM);
+ }
+
+ /**
+ * Generate a random string of the specified size
+ *
+ * @param int $size The size of the requested random string
+ *
+ * @return string A string of the requested size
+ */
+ public function generate($size) {
+ return openssl_random_pseudo_bytes($size);
+ }
+
+}
From a0c2ebdc5297b6b15c94b110edf4c3cf3a3a5da4 Mon Sep 17 00:00:00 2001
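Review bot: `generate()` in this hunk returns `openssl_random_pseudo_bytes($size)` without passing the by-reference `$crypto_strong` flag or checking for a `false` return, so on the PHP 5 builds this commit targets the source can hand back bytes the extension itself reports as not cryptographically strong, or `false` on failure (including a non-positive `$size`); the commit message's "should never fail" does not hold for those cases. The same unchecked call survives in the `generate()` hunk of PATCH 2/2. I would capture the flag and refuse weak output: `$bytes = openssl_random_pseudo_bytes($size, $strong);`, `if ($bytes === false || !$strong) { throw new \RuntimeException('openssl_random_pseudo_bytes did not produce cryptographically strong bytes'); }`, `return $bytes;` — assuming the `\PasswordLib\Random\Source` contract (not in this patch) lets a source throw; if it does not, the weak case still needs to be surfaced to the caller rather than returned as if it were good entropy. The docblock should then carry `@throws \RuntimeException If the extension reports the output is not cryptographically strong`.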
From: Derek Marcotte
Date: Thu, 19 Oct 2017 09:18:56 -0400
Subject: [PATCH 2/2] Fix file naming, added check for openssl_ existing.
---
 .../{OpensslRandPseudo.php => OpensslRandomPseudo.php} | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 rename lib/PasswordLib/Random/Source/{OpensslRandPseudo.php => OpensslRandomPseudo.php} (90%)
diff --git a/lib/PasswordLib/Random/Source/OpensslRandPseudo.php b/lib/PasswordLib/Random/Source/OpensslRandomPseudo.php
similarity index 90%
rename from lib/PasswordLib/Random/Source/OpensslRandPseudo.php
rename to lib/PasswordLib/Random/Source/OpensslRandomPseudo.php
index e92bdf1..36e0596 100644
--- a/lib/PasswordLib/Random/Source/OpensslRandPseudo.php
+++ b/lib/PasswordLib/Random/Source/OpensslRandomPseudo.php
@@ -66,10 +66,12 @@ class OpensslRandomPseudo implements \PasswordLib\Random\Source {
 * @return Strength An instance of one of the strength classes
 */
 public static function getStrength() {
- if ( preg_match('/^LibreSSL/i', OPENSSL_VERSION_TEXT) !== 1 ) {
+ if (!defined('OPENSSL_VERSION_TEXT')) {
+ return new Strength(Strength::VERYLOW);
+ }
+ if (!preg_match('/^LibreSSL/i', OPENSSL_VERSION_TEXT)) {
 return new Strength(Strength::LOW);
 }
-
 return new Strength(Strength::MEDIUM);
 }
@@ -81,6 +83,9 @@ public static function getStrength() {
 * @return string A string of the requested size
 */
 public function generate($size) {
+ if (!defined('OPENSSL_VERSION_TEXT')) {
+ return str_repeat(chr(0), $size);
+ }
 return openssl_random_pseudo_bytes($size);
 }
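Review bot: The new guard in `getStrength()` tests `defined('OPENSSL_VERSION_TEXT')` as a proxy for the extension being loaded, but the capability the class actually depends on is the function called in `generate()`; `if (!function_exists('openssl_random_pseudo_bytes')) {` names that dependency directly and is the check I would use here and in the `generate()` hunk below. The switch from `!== 1` to `!preg_match(...)` also routes a PCRE error (`false`) to `Strength::LOW`, which is the conservative direction, so that part reads fine. Both hunks sit inside a class whose body continues outside them.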
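Review bot: Returning `str_repeat(chr(0), $size)` from `generate()` when the extension is missing turns a randomness source into one that silently emits a constant, fully predictable buffer, and the `Strength::VERYLOW` grade from `getStrength()` only protects callers that consult it first. A source that cannot produce entropy should fail loudly rather than return zeros, e.g. `throw new \RuntimeException('ext/openssl is not available; OpensslRandomPseudo cannot generate bytes');`, so that a caller that ends up relying on this source alone cannot mistake the output for random data. If the `\PasswordLib\Random\Source` contract does not permit throwing (the interface is not in this patch), the method docblock should at least say that `generate()` returns an all-zero string in this case and that the class is only safe behind a mixer that combines several sources.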